AWS

Cloud Services & Scoping

  1. Perform a walk-through of the services with the CISO, head of cloud, or security audit team to understand the documented process for whitelisting and approving cloud services.

    • Obtain list of services and validate if approval was in line with formal process.

  2. Review the service map and inventory. Ensure all the services that are listed in the inventory are also in the service map.

  3. Ensure the services you would expect to see supporting the CSC’s workloads are in fact in use, and question any service in use that the documented workloads do not explain.

  4. Ensure the services the CSC is consuming are included in the CSP’s third-party attestation. Only services that are actually being used by the CSC should be in scope for the CSC audit.

  5. Ensure the CSC is using services that are compliant with the framework being assessed against. Note: If a specific service is not “certified” as compliant with a particular framework, that does not necessarily mean it is non-compliant in the CSC’s implementation. In some cases the CSC’s additional security controls and design factors can bring the service into compliance. In other cases the CSC will rely on a documented risk acceptance, based on a concrete risk analysis, to use the service; ask for that analysis.

  6. Obtain the inventory of the CSC’s cloud systems, along with the network diagrams.

    • Identify assets. Each cloud account has a contact e-mail address associated with it, which can be used to identify account owners. Be aware that this address may belong to a public e-mail service provider, depending on what the user specified when registering. That is risky and can have serious repercussions: the account’s contact address is also its password-recovery path, so a mailbox outside the organization’s control puts the whole account at risk.

  7. Verify the CSC’s cloud network is documented and all cloud critical systems are included in the inventory documentation (for their portion of the shared responsibility model).

    • Ensure that resources are appropriately tagged so that each can be associated with the application, owner and data it supports.

    • Review application architecture to identify data flows, planned connectivity between application components and resources that contain data.

  8. Review all connectivity between the on-premises network and the cloud platform, including VPN connections in which the on-premises public IPs (customer gateways) are mapped to the CSC’s gateways in any virtual private cloud owned by the CSC.
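The inventory checks in steps 2, 6 and 7 (inventory reconciled against the service map, account contact addresses at public mail providers, resources missing required tags) can be run mechanically over an exported inventory. The script below is an added example, not part of the original audit program or any CSP tooling. The record layout, the required tag keys and the list of public mail domains are assumptions; a real export (for instance from AWS Config, the Resource Groups Tagging API or the AWS Organizations account list) would need to be mapped onto these fields, and the sample rows are constructed for illustration.

```python
"""Offline reconciliation checks for a CSC's cloud inventory (added example).

Rows are constructed to look like an exported inventory with one record per
resource. Field names are an assumption for this example, not a CSP API.
"""

# Constructed sample data; account IDs, ARNs and addresses are made up.
SERVICE_MAP = {"ec2", "s3", "rds", "kms"}   # services on the approved service map

INVENTORY = [
    {"account_id": "111111111111", "contact_email": "cloud-ops@example.com",
     "service": "ec2", "arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-0a1",
     "tags": {"Application": "billing", "Owner": "fin-platform", "DataClass": "confidential"}},
    {"account_id": "111111111111", "contact_email": "cloud-ops@example.com",
     "service": "s3", "arn": "arn:aws:s3:::billing-exports",
     "tags": {"Application": "billing"}},                  # Owner and DataClass missing
    {"account_id": "222222222222", "contact_email": "dev.lead99@gmail.com",
     "service": "lambda", "arn": "arn:aws:lambda:us-east-1:222222222222:function:etl",
     "tags": {"Application": "etl", "Owner": "data-eng", "DataClass": "internal"}},
    {"account_id": "222222222222", "contact_email": "dev.lead99@gmail.com",
     "service": "rds", "arn": "arn:aws:rds:us-east-1:222222222222:db:etl-db",
     "tags": {}},                                          # entirely untagged
]

# Assumed tagging standard; take the real keys from the CSC's tagging policy.
REQUIRED_TAGS = {"Application", "Owner", "DataClass"}
# Assumed list of consumer mail providers; extend it from the CSC's own policy.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com"}


def services_not_on_map(inventory, service_map):
    """Step 2: services present in the inventory but absent from the service map."""
    return sorted({row["service"] for row in inventory} - set(service_map))


def accounts_with_public_contact(inventory, public_domains=PUBLIC_MAIL_DOMAINS):
    """Step 6: account IDs whose contact address sits at a public mail provider."""
    flagged = {}
    for row in inventory:
        domain = row["contact_email"].rsplit("@", 1)[-1].lower()
        if domain in public_domains:
            flagged[row["account_id"]] = row["contact_email"]
    return flagged


def untagged_resources(inventory, required=REQUIRED_TAGS):
    """Step 7: resources missing any required tag, with the missing keys listed."""
    findings = []
    for row in inventory:
        missing = sorted(set(required) - set(row.get("tags", {})))
        if missing:
            findings.append((row["arn"], missing))
    return findings


def reconcile(inventory, service_map):
    """Run all three checks and return one report dict for the working papers."""
    return {
        "services_not_on_map": services_not_on_map(inventory, service_map),
        "public_contact_accounts": accounts_with_public_contact(inventory),
        "untagged_resources": untagged_resources(inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(INVENTORY, SERVICE_MAP), indent=2))
```

Each finding is evidence for a specific step of the program: an unmapped service goes back to the approval process in step 1, a public-provider contact address goes to the account owner for remediation, and untagged resources mean the data-flow review in step 7 cannot rely on tags to locate data-bearing resources.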

Governance, Risk, & Personnel

  1. Understand the CSC’s cloud governance strategy (governance tools, structure, monitoring, and reporting).

    • Are they utilizing GRC tools? How are they leveraged? Do they work well with the CSP?

  2. For personnel, ensure the CSC trains their employees on cloud security best practices, verifying security awareness training records.

    • Review the organizational structure to identify cloud-appropriate roles (e.g. Chief Digital Officer (CDO)).

    • Identify who owns and manages the CSP relationship, ensuring that is an appropriate person.

    • Do the employees who make decisions about the cloud services have the education and skills to do so?

  3. Ask for a copy of the third-party attestation and certifications in order to gain reasonable assurance of the design and operating effectiveness of control objectives and controls.

  4. Ask for the risk assessment documentation and examine whether it reflects the current environment and accurately describes the residual risk.

    • Is their cloud usage covered in their risk documentation?

  5. Assess and map the third-party attestation to the risks relevant to the CSC. The mapping will drive what needs to be audited at the CSP level versus at the CSC. Look for the complementary user entity controls (CUECs). Ask the CSC to provide its response to each risk that the CSP states resides with the CSC.

  6. Identify key controls using the technology the CSP provides in their services.

    • Understand who the admins and builders are. Who or what are the admins? Who has access to code? Are they the same people? In the cloud, an admin can be a service, a system call, a role, etc., not only a person.

    • Confirm the CSC has assigned one or more employees as the authority for the use and security of cloud services, and that there are defined roles for those noted as key roles, including a Chief Information Security Officer (CISO).

    • Sample question: Ask about any published cybersecurity risk management process standards the CSC has used to model information security architecture and processes.

  7. Look at the CSC’s internal controls over financial reporting. Does the contract with the CSP include a relevant attestation report and/or a right-to-audit clause?

  8. Combine both the CSP attestation and your audit of the CSC’s environment to perform a final gap analysis.

    • Review the controls to ensure each control is covered either by the CSP, your audit or both.

    • Assess the control matrix holistically to ensure each control is covered.
